[Snort-users] More on the "BAD TRAFFIC udp port 0" front

Jason Haar Jason.Haar at ...294...
Mon May 6 20:43:03 EDT 2002


I'm now sure this is fragmentation related...

We're getting this snort alert quite often, so I ran up tcpdump and captured
packets from one of the hosts that appeared to be generating such events.

What I'm seeing is that when snort says "BAD TRAFFIC udp port 0", I see a
fragment. The remote host in question is an Active Directory controller
trying to talk to our Active Directory controller. It uses Kerberos over
NetBIOS and the packets are indeed big enough to cause fragmentation - esp.
as we run our WAN over IPSec tunnels (MTU: 1460).

It looks like snort's defrag preprocessor isn't associating these packets
with the rest of the session? I have tried "frag2" and "defrag" - neither
makes any difference. Trying "defrag2" makes snort-1.8.6 return:

*WARNING*: unknown preprocessor "defrag2", ignoring

- so something's amiss there!

Anyway, even though I can time-correlate tcpdump seeing a fragment with
snort forming an alert, if I feed the tcpdump capture back into snort - it
doesn't trigger an alert...

--- SNORT ALERT -----
grep " snort: " /var/adm/messages |grep BAD|grep 11:33:54
May  6 11:33:54 ids snort: [1:525:4] BAD TRAFFIC udp port 0 traffic
[Classification: Misc activity] [Priority: 3]: <eth2> {UDP} 5.6.7.8:0
-> 1.2.3.4:0

----------------------


------- TCPDUMP -------------
tcpdump -n -r /tmp/tcp.log -l|grep 11:33:54
11:33:54.827850 5.6.7.8 > 1.2.3.4: (frag 43822:11 at ...5795...)
11:33:54.851794 5.6.7.8.53032 > 1.2.3.4.kerberos:  (frag 43822:1416 at ...183...+)
11:33:54.860379 1.2.3.4.kerberos > 5.6.7.8.53032: 

--------------------------

Any ideas? I still have the tcpdump trace if anyone's interested...

-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
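The mechanism behind the alert in the trace above, as an added illustration (not part of the post, and not Snort's own decoder or frag2 code): only the first IP fragment of a datagram carries the UDP header, so a check that looks at ports packet by packet reads both ports of a non-first fragment as 0, and when the tail fragment arrives before the head (as the timestamps in the post suggest) there is nothing to associate it with yet. The script below parses constructed tcpdump-style lines modelled on the trace (numeric ports, made-up fragment sizes and offsets), runs the port-0 check statelessly, then runs it again behind a minimal reassembler keyed on source, destination and IP ID, and shows that only the genuine port-0 datagram survives. The `@` in the fragment notation is the tcpdump form and is assumed here; the list archive appears to have rewritten it in the trace above.

```python
import re
from collections import defaultdict

# Constructed sample, not the post's own trace: old-style tcpdump output with
# numeric ports (tcpdump -n). Fragment sizes and offsets are made up; "+" is
# the More-Fragments flag. The tail fragment (ID 43822, offset 1416) arrives
# before the head, as the timestamps in the post suggest.
SAMPLE_TRACE = """\
11:33:54.827850 5.6.7.8 > 1.2.3.4: (frag 43822:11@1416)
11:33:54.851794 5.6.7.8.53032 > 1.2.3.4.88: (frag 43822:1416@0+)
11:33:54.860379 1.2.3.4.88 > 5.6.7.8.53032: udp 120
11:33:55.100000 9.9.9.9.40000 > 1.2.3.4.0: udp 10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:(?P<rest>.*)$"
)
FRAG_RE = re.compile(r"\(frag (?P<id>\d+):(?P<size>\d+)@(?P<off>\d+)(?P<mf>\+?)\)")


def parse_line(line):
    """Turn one tcpdump line into a dict; ports are None when the line shows none
    (a non-first fragment carries no UDP header, so tcpdump cannot print them)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = {
        "ts": m["ts"], "src": m["src"], "dst": m["dst"],
        "sport": int(m["sport"]) if m["sport"] else None,
        "dport": int(m["dport"]) if m["dport"] else None,
        "frag": None,
    }
    f = FRAG_RE.search(m["rest"])
    if f:
        pkt["frag"] = {"id": int(f["id"]), "size": int(f["size"]),
                       "off": int(f["off"]), "mf": f["mf"] == "+"}
    return pkt


def port0_hit(pkt):
    """The rule under discussion: either UDP port is 0."""
    return pkt["sport"] == 0 or pkt["dport"] == 0


def naive_alerts(trace):
    """Stateless evaluation: judge each packet on its own. A non-first fragment
    has no transport header, so its ports read as 0 and the rule fires on it."""
    alerts = []
    for pkt in map(parse_line, trace.splitlines()):
        if pkt is None:
            continue
        seen = dict(pkt, sport=pkt["sport"] or 0, dport=pkt["dport"] or 0)
        if port0_hit(seen):
            alerts.append((seen["ts"], seen["src"], seen["sport"], seen["dst"], seen["dport"]))
    return alerts


class FragmentTracker:
    """Minimal IP reassembly keyed on (src, dst, IP ID): hold fragments until the
    head (offset 0), the tail (MF clear) and every byte in between are present."""

    def __init__(self):
        self.pending = defaultdict(list)

    def add(self, pkt):
        key = (pkt["src"], pkt["dst"], pkt["frag"]["id"])
        self.pending[key].append(pkt)
        frags = sorted(self.pending[key], key=lambda p: p["frag"]["off"])
        if frags[0]["frag"]["off"] != 0 or frags[-1]["frag"]["mf"]:
            return None  # head or tail still missing
        expected = 0
        for f in frags:
            if f["frag"]["off"] != expected:
                return None  # hole in the middle
            expected += f["frag"]["size"]
        del self.pending[key]
        head = frags[0]  # the only fragment whose ports mean anything
        return {"ts": pkt["ts"], "src": head["src"], "dst": head["dst"],
                "sport": head["sport"], "dport": head["dport"],
                "frag": None, "length": expected}


def fragment_aware_alerts(trace):
    """Reassemble first, then apply the rule to the datagram's real ports."""
    tracker = FragmentTracker()
    alerts = []
    for pkt in map(parse_line, trace.splitlines()):
        if pkt is None:
            continue
        if pkt["frag"] is not None:
            pkt = tracker.add(pkt)
            if pkt is None:
                continue  # datagram incomplete; nothing to judge yet
        if port0_hit(pkt):
            alerts.append((pkt["ts"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
    return alerts


if __name__ == "__main__":
    for name, fn in (("stateless", naive_alerts), ("after reassembly", fragment_aware_alerts)):
        print(name)
        for a in fn(SAMPLE_TRACE):
            print("  port-0 alert: %s %s:%d -> %s:%d" % a)
```

Run stand-alone, the stateless pass reports the Kerberos tail fragment as 5.6.7.8:0 -> 1.2.3.4:0, which is exactly the shape of the alert in the post, while the reassembled pass reports only the datagram that really has destination port 0. The practical check this suggests is to look at whether the offending packets are non-first fragments (tcpdump shows them without ports), which points at reassembly rather than at the rule itself.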
